"Operation not permitted" error occurs on vSAN File Service when changing NFS4 share ownership
Article ID: 394693

Products

VMware vSAN

Issue/Introduction

This issue is seen when a Linux client mounts a vSAN File Service NFSv4.1 share with Kerberos (sec=krb5p) authentication. The mount succeeds, but files and directories on the share are shown with owner and group nobody:nobody, and attempts to change ownership (chown) fail with "Operation not permitted".

NFS4 share mounted with Kerberos authentication

Client assigned share with owner and group nobody:nobody

 

Environment

vSAN 7

vSAN 8

 

Cause

The NFSv4 ID-mapping conflict occurs in a network environment with two separate domains: an Active Directory domain, which authenticates users and computers, and a different DNS search domain. NFSv4 ID mapping assumes a single domain, so the NFS client (for example a Linux NFS client) must be configured to use the Active Directory domain rather than the DNS search domain it learns from DHCP. This matters for NFSv4, which carries file owners and groups on the wire as user@domain and group@domain strings that the client must map to local UIDs and GIDs; NFSv3 instead uses AUTH_UNIX, which carries numeric UIDs and GIDs directly. When the domain part of an owner string returned by the server does not match the client's configured NFSv4 domain, the client cannot map it and falls back to the nobody user and group, and ownership changes fail.

 

For example:
If activeDirectory.local is the Active Directory domain and DNSsearchDomain.local is the DNS search domain, the vSAN File Service share identifies users as user@activeDirectory.local. The Linux NFS client, however, uses the default setting of its ID-mapping configuration, /etc/idmapd.conf, which is the DNS search domain handed out by the DHCP server, so it expects user@DNSsearchDomain.local. The domains do not match, the client cannot map the Active Directory user to a local account, and the owner is displayed as nobody.

 

According to IETF RFC 7530, Network File System (NFS) Version 4 Protocol (the same owner representation is used by NFSv4.1, RFC 8881), the two protocol versions identify users as follows:

-NFSv3 primarily relies on AUTH_UNIX, which carries the client's numeric user ID (UID) and group ID (GID) to identify the user.
-NFSv4 represents owners and groups as user@domain strings instead of raw UIDs, which makes identities portable across hosts and harder to spoof, but requires the client to resolve the domain part against its own configured NFSv4 domain.

 

 

Resolution

On the client machine, set the Domain value in the [General] section of /etc/idmapd.conf to the Active Directory domain used to configure vSAN File Services (replace activeDirectory.local below with your own Active Directory domain; do not wrap the value in brackets or quotes):

[General]
# The following should be set to the local NFSv4 domain name
# The default is the host's DNS domain name.
Domain = activeDirectory.local

After editing the file, clear the client's ID-mapping cache and remount the share so the new domain takes effect: run nfsidmap -c on clients that map IDs through the kernel keyring, or restart rpc.idmapd (systemctl restart nfs-idmapd) on clients that still use the daemon. Verify with ls -l or stat that files on the share now show their Active Directory owner instead of nobody:nobody and that chown succeeds.
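As an added example (not part of this KB article or of any VMware tooling), the following shell script emulates how a Linux client's ID mapper treats an NFSv4 owner string whose domain does not match the Domain setting in idmapd.conf, and applies the fix described above to a copy of the file. The domain names and the user name alice are constructed for illustration; the script never touches /etc/idmapd.conf itself, and it assumes a POSIX shell with awk and mktemp.

```shell
#!/bin/sh
# Added example (not from the KB article): emulate the NFSv4 ID-mapping
# mismatch offline and apply the idmapd.conf fix to a given file.
# Domain names and user names are constructed for illustration.

# Print the Domain value from the [General] section of an idmapd.conf file.
# Prints nothing when the line is absent or commented out (the default then
# falls back to the host's DNS domain, as the file's own comment states).
idmap_domain_of() {
    awk -F= '
        /^[[:space:]]*\[/ { sect = $0 }
        sect ~ /^\[General\]/ && $1 ~ /^[[:space:]]*Domain[[:space:]]*$/ {
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", $2); print $2; exit
        }' "$1"
}

# Emulate the client-side lookup of an NFSv4 owner string "user@domain":
# the name part is accepted only when the domain part equals the client's
# configured NFSv4 domain (treated as case-insensitive here); anything else
# falls back to nobody, which is the symptom the KB describes.
map_owner_string() {
    owner=$1
    client_domain=$2
    case $owner in
        *@*) ;;
        *) printf 'nobody\n'; return 0 ;;   # no domain part: not handled here
    esac
    name=${owner%@*}
    domain=${owner#*@}
    lc_domain=$(printf '%s' "$domain" | tr '[:upper:]' '[:lower:]')
    lc_client=$(printf '%s' "$client_domain" | tr '[:upper:]' '[:lower:]')
    if [ "$lc_domain" = "$lc_client" ]; then
        printf '%s\n' "$name"
    else
        printf 'nobody\n'
    fi
}

# Rewrite the Domain line in the [General] section of the given file to the
# Active Directory domain (creating the section if it is missing). Any existing
# active or commented-out Domain line in [General] is dropped so exactly one
# Domain line remains. Run this against a copy, then review and install it.
set_idmapd_domain() {
    file=$1
    new_domain=$2
    tmp="$file.tmp.$$"
    awk -v d="$new_domain" '
        /^[[:space:]]*\[/ {
            sect = $0; print
            if (sect ~ /^\[General\]/ && !done) { print "Domain = " d; done = 1 }
            next
        }
        sect ~ /^\[General\]/ && /^[[:space:]]*#?[[:space:]]*Domain[[:space:]]*=/ { next }
        { print }
        END { if (!done) { print "[General]"; print "Domain = " d } }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Stand-alone demo on a constructed copy of idmapd.conf.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
[General]
# The following should be set to the local NFSv4 domain name
# The default is the host's DNS domain name.
Domain = DNSsearchDomain.local
EOF
echo "before: alice@activeDirectory.local -> $(map_owner_string alice@activeDirectory.local "$(idmap_domain_of "$demo_conf")")"
set_idmapd_domain "$demo_conf" activeDirectory.local
echo "after:  alice@activeDirectory.local -> $(map_owner_string alice@activeDirectory.local "$(idmap_domain_of "$demo_conf")")"
rm -f "$demo_conf"
```

The emulation only models the domain comparison that decides between a real user and nobody; on a live client the name part is additionally resolved through NSS (or another libnfsidmap plugin) to a UID, so a matching domain with an unknown user still maps to nobody.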

Additional Information